TY - GEN
T1 - An optimal distributed discrete log protocol with applications to homomorphic secret sharing
AU - Dinur, Itai
AU - Keller, Nathan
AU - Klein, Ohad
N1 - Publisher Copyright:
© International Association for Cryptologic Research 2018.
PY - 2018/1/1
Y1 - 2018/1/1
N2 - The distributed discrete logarithm (DDL) problem was introduced by Boyle et al. at CRYPTO 2016. A protocol solving this problem was the main tool used in the share conversion procedure of their homomorphic secret sharing (HSS) scheme which allows non-interactive evaluation of branching programs among two parties over shares of secret inputs. Let g be a generator of a multiplicative group G. Given a random group element g^x and an unknown integer (formula presented) for a small M, two parties A and B (that cannot communicate) successfully solve DDL if (formula presented). Otherwise, the parties err. In the DDL protocol of Boyle et al., A and B run in time T and have error probability that is roughly linear in M/T. Since it has a significant impact on the HSS scheme’s performance, a major open problem raised by Boyle et al. was to reduce the error probability as a function of T. In this paper we devise a new DDL protocol that substantially reduces the error probability to O(M · T^{-2}). Our new protocol improves the asymptotic evaluation time complexity of the HSS scheme by Boyle et al. on branching programs of size S from O(S^2) to O(S^{3/2}). We further show that our protocol is optimal up to a constant factor for all relevant cryptographic group families, unless one can solve the discrete logarithm problem in a short interval of length R in time (formula presented). Our DDL protocol is based on a new type of random walk that is composed of several iterations in which the expected step length gradually increases. We believe that this random walk is of independent interest and will find additional applications.
KW - Discrete logarithm
KW - Discrete logarithm in a short interval
KW - Fully homomorphic encryption
KW - Homomorphic secret sharing
KW - Random walk
KW - Share conversion
UR - http://www.scopus.com/inward/record.url?scp=85052384386&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-96878-0_8
DO - 10.1007/978-3-319-96878-0_8
M3 - Conference contribution
AN - SCOPUS:85052384386
SN - 9783319968773
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 213
EP - 242
BT - Advances in Cryptology – CRYPTO 2018 - 38th Annual International Cryptology Conference, 2018, Proceedings
A2 - Shacham, Hovav
A2 - Boldyreva, Alexandra
PB - Springer Verlag
T2 - 38th Annual International Cryptology Conference, CRYPTO 2018
Y2 - 19 August 2018 through 23 August 2018
ER -